-------- Original Message -------- Subject: Re: [qmailadmin] Qmailadmin login page vulnerable to XSS Date: Sun, 23 Jan 2005 09:10:55 -0800 From: Tom Collins <[EMAIL PROTECTED]> Reply-To: qmailadmin@inter7.com To: qmailadmin@inter7.com References: <[EMAIL PROTECTED]>
On Jan 23, 2005, at 8:23 AM, David Chaplin-Loebell wrote:
I've been meaning to mention for a while now that the "domain" field (at minimum) in the qmailadmin login form is vulnerable to cross-site scripting attacks via GET.
For example, try this link:
http://mail.inter7.com/cgi-bin/qmailadmin?domain='")<script>alert('This%20script%20is%20vulnerable%20to%20XSS')</script>
While this is probably only a minor security problem, it seems like something that ought to be fixed. I unfortunately don't have the knowledge necessary to patch it (I don't speak C).
Easy solution. Upgrade to 1.2.4. Excerpt from 1.2.4's ChangeLog:
- Add printh.c, new routines for generating HTML-safe and CGI-safe strings.
- Changes to almost all .c and .html files to make use of printh routines. QmailAdmin should now properly handle email addresses that contain special characters (like '+' and '&'), including domain admin addresses. It now also escapes user-supplied text to avoid possible HTML-insertion and cross site scripting attacks.
So, I tried your example on my server and found that it still popped a dialog box! Further investigation showed that some vpopmail code (in vlimits.c) was printing an error message that included the string.
Here's a patch for vlimits.c to fix that. It will be in the next vpopmail release. It looks like we need to go through and change a lot more printfs in vpopmail to go to stderr as well.
(word wrapping may break the patch -- you may need to make the changes manually)
--- vlimits.c 12 Dec 2003 16:10:58 -0000 1.10 +++ vlimits.c 23 Jan 2005 17:05:04 -0000 1.10.2.1 @@ -288,7 +288,7 @@
/* extract the dir, uid, gid of the domain */ if (vget_assign(mydomain, dir, sizeof(dir), &uid, &gid) == NULL) { - printf ("Error. Domain %s was not found in the assign file\n", mydomain); + fprintf (stderr, "Error. Domain %s was not found in the assign file\n", mydomain); return (-1); }
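Review bot: in the @@ -288 hunk, switching this printf to fprintf(stderr, ...) keeps the unescaped mydomain out of the CGI response body, but the attacker-controlled value (it is the login form's domain field) still goes into the error log verbatim, so a newline or other control character in it can split or forge a log entry; strip control characters or encode the value before logging it. Beyond that, this is library code that already reports the failure through `return (-1);`, so the cleaner fix is to drop the print here entirely and let the caller (qmailadmin, through the printh routines the 1.2.4 ChangeLog describes) render the message, which is the only path on which the escaping actually applies.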
@@ -332,7 +332,7 @@
/* get the dir, uid and gid of the nominated domain */ if (vget_assign(mydomain, dir, sizeof(dir), &uid, &gid) == NULL) { - printf ("Error. Domain %s was not found in the assign file\n",mydomain); + fprintf (stderr, "Error. Domain %s was not found in the assign file\n",mydomain); return(-1); }
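Review bot: the @@ -332 hunk repeats the same message for the same vget_assign failure as the hunk above, so the two sites should share one error-reporting helper rather than two hand-maintained format strings (the second one already differs in whitespace after the comma). Note also that this patch covers only the two printfs in vlimits.c; by the reply's own admission many more printfs remain elsewhere in vpopmail, so any other library error path that can be reached from the CGI with user-supplied text is still an HTML-injection point, and a grep for bare printf across the library should go with this change rather than wait for a later release.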
Recompile vpopmail, upgrade to qmailadmin 1.2.4 or later, and it will take care of the XSS vulnerability.
-- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/
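As an added example (not code from qmailadmin's printh.c or from vpopmail), the two kinds of escaping the 1.2.4 ChangeLog describes, "HTML-safe" and "CGI-safe" strings, applied to the login form's "domain" value from the report above, together with the error path the vlimits.c patch is aimed at: the diagnostic goes to stderr and only an escaped copy reaches the browser. The function names, the error-page markup and the choice to log the percent-encoded form are my own assumptions.

```c
/* Added example, not code from qmailadmin or vpopmail.  Shows the escaping
 * a CGI must apply to user-supplied text before echoing it, using the
 * XSS payload from the report as constructed input. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* HTML-escape src into dst (dstlen bytes, NUL-terminated when dstlen > 0).
 * Replaces the five characters that can close a quoted attribute or start
 * a tag: & < > " '.  Returns the length the fully escaped string needs
 * (snprintf-style), so a return value >= dstlen means the output was
 * truncated; truncation happens at an entity boundary, never inside one. */
size_t html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t needed = 0, written = 0;
    int truncated = 0;

    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;   /* &apos; is not in HTML 4 */
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (!truncated && dstlen && written + rl < dstlen) {
            memcpy(dst + written, rep, rl);
            written += rl;
        } else {
            truncated = 1;          /* stop copying once anything is dropped */
        }
        needed += rl;
    }
    if (dstlen)
        dst[written] = '\0';
    return needed;
}

/* Percent-encode src for a query string such as ?domain=...  Keeps only the
 * RFC 3986 unreserved set (A-Z a-z 0-9 - . _ ~); everything else, including
 * the '+', '&' and '@' found in e-mail addresses, becomes %XX.  Same
 * return and truncation contract as html_escape. */
size_t url_encode(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t needed = 0, written = 0;
    int truncated = 0;

    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        char rep[3];
        size_t rl;
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            rep[0] = (char)c;
            rl = 1;
        } else {
            rep[0] = '%'; rep[1] = hex[c >> 4]; rep[2] = hex[c & 0x0f];
            rl = 3;
        }
        if (!truncated && dstlen && written + rl < dstlen) {
            memcpy(dst + written, rep, rl);
            written += rl;
        } else {
            truncated = 1;
        }
        needed += rl;
    }
    if (dstlen)
        dst[written] = '\0';
    return needed;
}

/* The vget_assign failure path as a CGI should handle it (hypothetical
 * helper): log a single-line, percent-encoded copy of the domain to stderr
 * (so a newline in the input cannot split the log entry) and write only the
 * HTML-escaped copy into the page.  Returns what snprintf returns. */
int domain_not_found_page(const char *domain, char *out, size_t outlen)
{
    char safe[512], logged[1024];

    html_escape(domain, safe, sizeof safe);
    url_encode(domain, logged, sizeof logged);
    fprintf(stderr, "Error. Domain %s was not found in the assign file\n", logged);
    return snprintf(out, outlen,
                    "<p>Error. Domain %s was not found in the assign file</p>\n",
                    safe);
}

int main(void)
{
    /* Constructed input: the reported payload, as it looks after the CGI
     * layer has already URL-decoded the query string. */
    const char *payload =
        "'\")<script>alert('This script is vulnerable to XSS')</script>";
    char page[1024];

    domain_not_found_page(payload, page, sizeof page);
    fputs(page, stdout);    /* the <script> tag arrives as &lt;script&gt; */
    return 0;
}
```

Escaping at the output boundary, as here, is what makes the order of fixes in the thread matter: the 1.2.4 printh routines protect every string qmailadmin itself emits, but a printf buried in a library the CGI links against bypasses that layer entirely, which is why the vpopmail change was still needed.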